Over the last few years, many organisations have ‘upgraded’ their Business Continuity Manager roles to Resilience Manager positions. However, it’s not clear whether the function or the expertise required to support it have actually changed. Has one term simply been used to replace the other, and if it has, is vital nuance being lost?
How Business Continuity Practices Evolved
Business Continuity Management (BCM) superseded Business Contingency Planning (BCP), which in turn grew out of Disaster Recovery (DR) – a term that is still applied and widely used now. When it was coined, DR was a raw, truly functional activity description which focused on reliably repeating the very precise technical steps needed to recover a piece of systemware. Often this occurred with little understanding of why we were doing it or where the deadline came from.
BCP expanded on this by focussing on creating a plan that the entire business could follow. In time, BCM surpassed this plan by installing a management system that included all related activities. This meant that practices were standardised heavily, but were largely still concerned with doing things in a controlled way. This is why BCM works, because it is goal-centric, and creates a growing and constantly improving capability.
How Organisational Resilience Differs
Fundamentally, resilience is different because it focusses on maximising an intangible organisational resource, rather than on a set of steps, capabilities or goals. An organisation seeking resilience will speak and plan in terms of its toughness, bounce-back and so on. This means that resilience management can’t be so easily prescribed as it represents a sphere of capability that is as abstract and all-encompassing as the organisation to which it applies.
When you read the BS 65000 Guidance on Organisational Resilience, you soon realise that resilience comes surprisingly close to universal management disciplines such as TQM (Total Quality Management), Kaizen and the like.
Conversion from BC to resilience may require a big step depending on how you approach it. It potentially means moving from a detailed knowledge of a few well-defined technical areas, to creating a joined-up oversight and understanding of perhaps 20 or 30 disciplines. While many of these areas overlap, most are the domain of managers who won’t relinquish them easily. How will you approach the task and what kind of mandate will you need to make a success of it?
How to do Organisational Resilience Well
Resilience may be seen as more of a governance role, measuring how individual areas perform and how well they close gaps to deliver the universally tough shell the organisation desires. To do it justice, you’ll need:
- Good metrics
- A defined appetite
- A budget to fund gap closure
You’ll also need to be able to educate executives and managers on:
- What to expect
- How to set targets and allocate funding
- And how to interpret KPIs
Naturally, some organisations will find this easier than others. Managers in strong hierarchies will resist having changes imposed in the name of resilience, a term that perhaps does not yet feature in their objectives or incentive plans. Conversely, those with robust governance structures already in place may find resilience fits conveniently and confers benefits, not least additional budget from an unexpected quarter.
Understanding the Guidelines
Both BS 65000 and the upcoming ISO 22316 are resilience guidelines, as opposed to standards, and this means they don’t prescribe an approach. Organisations will have to interpret them for themselves, buy-in the expertise or adapt an existing resource. Many, having invested in a standards-aligned business continuity management system will be wondering if they can re-deploy it into the new resilience role. Our guide to BS 65000 can help you develop your capabilities.